From 6d8d84224759ba7570477d47c6a16e5a270367bb Mon Sep 17 00:00:00 2001
From: LP
Date: Thu, 21 May 2026 02:13:59 +0000
Subject: [PATCH] =?UTF-8?q?fix:=20remove=20existing=5Fapp=5Fid=20from=2040?= =?UTF-8?q?9=20response=20+=20clarify=20recovery=20instructions=20?= =?UTF-8?q?=E2=80=94=20closes=20#50?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Removes existing_app_id from the EMAIL_ALREADY_REGISTERED 409 response to prevent unauthenticated app_id enumeration via email probing. Updates the recovery message to describe the correct human-mediated flow: trigger a BOTCHA code email, then visit botcha.ai/Account to retrieve the app_id.
Co-Authored-By: Claude Sonnet 4.6
---
 packages/cloudflare-workers/src/index.tsx | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/packages/cloudflare-workers/src/index.tsx b/packages/cloudflare-workers/src/index.tsx
index 7e593aa..f88a276 100644
--- a/packages/cloudflare-workers/src/index.tsx
+++ b/packages/cloudflare-workers/src/index.tsx
@@ -2246,8 +2246,7 @@ app.post('/v1/apps', async (c) => {
 success: false,
 error: 'EMAIL_ALREADY_REGISTERED',
 message: `Email ${error.email} is already registered.`,
- existing_app_id: error.existing_app_id,
- recovery: `POST /v1/auth/recover with { "email": "${error.email}" } to recover your credentials.`,
+ recovery: `POST /v1/auth/recover with { "email": "${error.email}" } to receive a BOTCHA code by email. Your human can then visit https://botcha.ai, click "Account", and enter the code to retrieve their app_id and share it with you.`,
 }, 409);
 }
 return c.json({
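Review bot: The 409 body built in this hunk still tells an unauthenticated caller that the address is registered (`error: 'EMAIL_ALREADY_REGISTERED'` plus the echoed `error.email`), so dropping `existing_app_id` closes the app_id leak but leaves an email-existence oracle on `POST /v1/apps`. If that is an accepted trade-off, say so next to the response with a comment such as `// Unauthenticated endpoint: never return existing_app_id here; email existence is disclosed by design (#50)`. It is also worth confirming that this route and `/v1/auth/recover` are rate-limited per address and per client, since the new `recovery` text points any caller at an endpoint that sends mail; no limiter is visible in this hunk. A regression test asserting that the 409 JSON has no `existing_app_id` key would keep the field from returning. The handler starts and ends outside the hunk, so the origin of `error.email` and any earlier validation of it could not be checked.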